Fannie Mae 2004 Annual Report Download - page 208

Download and view the complete annual report

Please find page 208 of the 2004 Fannie Mae annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 358

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332
  • 333
  • 334
  • 335
  • 336
  • 337
  • 338
  • 339
  • 340
  • 341
  • 342
  • 343
  • 344
  • 345
  • 346
  • 347
  • 348
  • 349
  • 350
  • 351
  • 352
  • 353
  • 354
  • 355
  • 356
  • 357
  • 358

governing information technology security and access. Furthermore, we did not maintain effective logging
and monitoring of servers and databases to ensure that access was both appropriate and authorized.
Change Management
We did not maintain effective controls designed to ensure that information technology program and data
changes were authorized and that the program and data changes were adequately tested for accuracy and
appropriate implementation.
End User Computing
We did not maintain effective controls over end user computing (“EUC”) applications, such as
spreadsheets. Specifically, controls were not designed and in operation to ensure that access to these
applications was restricted to appropriate personnel and that changes to data or formulas were authorized.
Independent Model Review Process
We identified a material weakness as of December 31, 2004 related to the design of our internal control over
financial reporting related to our independent model review process. Specifically, we did not independently
review that: (i) the models and assumptions used to produce our financial statements were appropriate; and
(ii) that outputs used to produce our financial statements were calculated accurately according to the model
specifications. Our loan loss allowance, amortization, guaranty and financial instrument valuation processes
each used models and, as discussed in “Item 7—MD&A—Restatement,” we incorrectly valued our derivatives,
mortgage loan and security commitments, security investments, guaranties and other instruments.
Treasury and Trading Operations
We identified a material weakness as of December 31, 2004 related to the design of our internal control over
financial reporting related to our treasury and trading operations. Specifically, our internal control over
financial reporting was inadequate with respect to the process of authorizing, approving, validating and settling
trades, including inadequate segregation of duties among trading, settlement and valuation activities within
both our treasury and trading operations.
Pricing and Independent Price Verification Processes
We identified a material weakness as of December 31, 2004 related to the design of our internal control over
financial reporting related to our pricing and independent price verification processes. Specifically, our internal
control over financial reporting was inadequate with respect to the process used to price assets and liabilities,
and did not maintain appropriate segregation of duties between the pricing function and the function
responsible for independently verifying such prices.
Wire Transfer Controls
We identified a material weakness as of December 31, 2004 related to the design of our internal control over
financial reporting related to our wire transfer function. Specifically, the design of our internal control over
financial reporting was insufficient with respect to the initiation, authorization, segregation of duties and anti-
fraud measures related to wire transfer transactions and with respect to the reconciliation of cash balances and
wire transfer activity. In addition, approvals were not consistent with approval policies and funds movements
lacked verifications.
Report of Independent Registered Public Accounting Firm
In January 2005, we engaged Deloitte & Touche LLP (the independent registered public accounting firm that
audited the consolidated financial statements included in this Annual Report on Form 10-K for the year ended
December 31, 2004) to audit management’s assessment of the effectiveness of our internal control over
financial reporting as of December 31, 2004. Deloitte & Touche’s report disclaimed an opinion on
management’s assessment of the effectiveness of our internal control over financial reporting as of
December 31, 2004 because:
we did not engage Deloitte & Touche until after December 31, 2004;
203